Analytics and Performance Management Products

EPM Client cert authentication

If you are planning to use client cert authentication against EPM (http://docs.oracle.com/cd/E17236_01/epm.1112/epm_security_11121/frameset.htm?ch02s13s04.html), there are a few additional elements to consider beyond what the documentation covers:

"SSLVerifyClient require|optional" in Oracle HTTP Server (OHS).

Among other things, this SSL directive uses the trusted certificates in the OHS wallet to filter the client certificates offered in the browser's digital certificate prompt. That is, if you have client certificates signed by a trusted root that is not in the OHS wallet, these certificates won't show up in the browser prompt for picking a certificate.

HYPLOGIN header sent by OHS through the following entry:

RequestHeader set HYPLOGIN "%{SSL_CLIENT_CERT}e"

OHS HYPLOGIN header value turns out to be like this (note the question marks):

?----BEGIN CERTIFICATE---- MII....-----BEGIN CERTIFICATE---- ?

When using the Java certificate factory ((X509Certificate)CertificateFactory.getInstance("X.509").generateCertificate) to get the DN, your CSS custom login class first needs to remove these unneeded question marks.

It is good practice to add

RequestHeader set HYPLOGIN ""

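at the top of your VirtualHost, while the header is set to the SSL_CLIENT_CERT value in your Location entry. RequestHeader set replaces any header of that name already present in the request, so a HYPLOGIN value supplied by the client is overwritten.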
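The header cleanup described above, as an added example (not code from the original post or from Oracle): a hypothetical helper, HypLoginCert, that a custom login class could call to turn the HYPLOGIN value into a certificate and read its DN. It assumes Java 8 or later for java.util.Base64 and BEGIN/END CERTIFICATE armor lines, and it rejects the empty value produced by RequestHeader set HYPLOGIN "".

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

/** Added example: hypothetical helper, not part of the EPM/CSS API. */
public final class HypLoginCert {

    /** Reduce the raw HYPLOGIN value to the bare base64 body of the certificate. */
    static String base64Body(String header) {
        if (header == null) {
            return "";
        }
        // Drop the armor lines; tolerate a wrong dash count caused by the mangling.
        String body = header.replaceAll("-+(BEGIN|END) CERTIFICATE-+", "");
        // Drop the stray '?' characters, whitespace and anything else that is not base64.
        return body.replaceAll("[^A-Za-z0-9+/=]", "");
    }

    /** Parse the header into a certificate; throws rather than returning a partial result. */
    static X509Certificate parse(String header) throws CertificateException {
        String b64 = base64Body(header);
        if (b64.isEmpty()) {
            // Empty header: no client certificate was presented for this request.
            throw new CertificateException("HYPLOGIN is empty: no client certificate");
        }
        byte[] der;
        try {
            der = Base64.getDecoder().decode(b64);
        } catch (IllegalArgumentException e) {
            throw new CertificateException("HYPLOGIN is not valid base64", e);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample with the shape of the mangled header; the body is NOT a real certificate.
        String sample = "?-----BEGIN CERTIFICATE----- TUlJ QkFn ?-----END CERTIFICATE----- ?";
        System.out.println("cleaned body: " + base64Body(sample));
        // Pass a real header value as the first argument to print its subject DN.
        if (args.length > 0) {
            System.out.println(parse(args[0]).getSubjectX500Principal().getName());
        }
    }
}
```

The helper only decodes the certificate that OHS forwarded; it does not validate the chain, which is left to OHS and its wallet.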